Description
Oilpan: IDBCursor should be detached from IDBRequest when the IDBRequest stops
This CL fixes the following crash that is happening in oilpan bots flakily.
03:06:22.168 12926 worker/6 storage/indexeddb/cursor-basics.html crashed, (stderr lines):
03:06:22.168 12926 [6:653:0328/030621:3422205696:FATAL:indexed_db_dispatcher.cc(71)] Check failed: false. Re-instantiating TLS IndexedDBDispatcher.
03:06:22.168 12926 #0 0x7f46a76a8ea1 base::debug::StackTrace::StackTrace()
03:06:22.168 12926 #1 0x7f46a772265d logging::LogMessage::~LogMessage()
03:06:22.168 12926 #2 0x7f469cf602f6 content::IndexedDBDispatcher::ThreadSpecificInstance()
03:06:22.168 12926 #3 0x7f469cf78487 content::WebIDBCursorImpl::~WebIDBCursorImpl()
03:06:22.168 12926 #4 0x7f469cf78536 content::WebIDBCursorImpl::~WebIDBCursorImpl()
03:06:22.168 12926 #5 0x7f46a06bb02a WTF::OwnedPtrDeleter<>::deletePtr()
03:06:22.168 12926 #6 0x7f46a09150c3 WTF::OwnPtr<>::~OwnPtr()
03:06:22.168 12926 #7 0x7f46a09120a0 WebCore::IDBCursor::~IDBCursor()
03:06:22.168 12926 #8 0x7f46a0915bce WebCore::IDBCursorWithValue::~IDBCursorWithValue()
03:06:22.168 12926 #9 0x7f46a0915c00 WebCore::IDBCursorWithValue::~IDBCursorWithValue()
03:06:22.168 12926 #10 0x7f46a0911376 WebCore::IDBCursor::deref()
03:06:22.168 12926 #11 0x7f46a09118ff WTF::derefIfNotNull<>()
03:06:22.168 12926 #12 0x7f46a09115bb WTF::RefPtr<>::~RefPtr()
03:06:22.168 12926 #13 0x7f46a0910282 WebCore::IDBAny::~IDBAny()
03:06:22.168 12926 #14 0x7f46a06bb179 WTF::RefCounted<>::deref()
03:06:22.168 12926 #15 0x7f46a06baead WTF::derefIfNotNull<>()
03:06:22.168 12926 #16 0x7f46a09316a4 WTF::RefPtr<>::clear()
03:06:22.168 12926 #17 0x7f46a092eb91 WebCore::IDBRequest::checkForReferenceCycle()
03:06:22.168 12926 #18 0x7f46a092c096 WebCore::IDBRequest::deref()
03:06:22.168 12926 #19 0x7f46a092c033 WebCore::IDBRequest::derefEventTarget()
03:06:22.168 12926 #20 0x7f46a0494a79 WebCore::EventTarget::deref()
03:06:22.168 12926 #21 0x7f46a049552e WTF::derefIfNotNull<>()
03:06:22.168 12926 #22 0x7f46a083fe5d WTF::RefPtr<>::~RefPtr()
03:06:22.169 12926 #23 0x7f46a17aaf7a WebCore::Event::~Event()
03:06:22.169 12926 #24 0x7f46a046f8d9 WebCore::GarbageCollectedFinalized<>::finalizeGarbageCollectedObject()
03:06:22.169 12926 #25 0x7f46a046f833 WebCore::FinalizerTraitImpl<>::finalize()
03:06:22.169 12926 #26 0x7f46a046f5ac WebCore::FinalizerTrait<>::finalize()
03:06:22.169 12926 #27 0x7f46963f028b WebCore::HeapObjectHeader::finalize()
03:06:22.169 12926 #28 0x7f46963f0305 WebCore::FinalizedHeapObjectHeader::finalize()
03:06:22.169 12926 #29 0x7f46963f2ac8 WebCore::HeapPage<>::finalize()
03:06:22.169 12926 #30 0x7f46963f3a64 WebCore::HeapPage<>::sweep()
03:06:22.169 12926 #31 0x7f46963f4e2b WebCore::ThreadHeap<>::sweep()
03:06:22.169 12926 #32 0x7f46963f9f32 WebCore::ThreadState::performPendingSweep()
03:06:22.169 12926 #33 0x7f46963f9c9e WebCore::ThreadState::leaveSafePoint()
03:06:22.169 12926 #34 0x7f46963f1ae9 WebCore::ThreadState::SafePointScope::~SafePointScope()
03:06:22.169 12926 #35 0x7f46963f2a56 WebCore::GCScope::~GCScope()
03:06:22.169 12926 #36 0x7f46963f13d9 WebCore::Heap::collectGarbage()
03:06:22.169 12926 #37 0x7f46963f1402 WebCore::Heap::collectAllGarbage()
03:06:22.169 12926 #38 0x7f46963f8d41 WebCore::ThreadState::cleanup()
03:06:22.169 12926 #39 0x7f46963f8e1e WebCore::ThreadState::detach()
03:06:22.169 12926 #40 0x7f46a1fafad1 WebCore::WorkerThread::workerThread()
03:06:22.169 12926 #41 0x7f46a1faf7d6 WebCore::WorkerThread::workerThreadStart()
03:06:22.169 12926 #42 0x7f4698634f21 WTF::threadEntryPoint()
03:06:22.169 12926 #43 0x7f46986354fd WTF::wtfThreadEntryPoint()
03:06:22.169 12926 #44 0x7f469a330e9a start_thread
The cause of the crash is as follows:
(1) ~WorkerScriptController() calls m_world->dispose().
(2) m_world->dispose() disposes the last reference to an IDBRequest object.
(3) ~WorkerScriptController() calls didStopWorkerRunLoop().
(4) didStopWorkerRunLoop() destructs an IndexedDBDispatcher object in the Chromium side.
(5) At the end of the worker thread execution, ThreadState::detach() is called. ThreadState::detach() triggers a GC.
(6) The GC collects the IDBRequest object.
(7) ~IDBRequest() calls ~IDBCursor(), which touches the IndexedDBDispatcher object, which is already destroyed.
The problem here is that the IDBCursor is not detached from the IDBRequest when IDBRequest::stop() is called (note: IDBRequest::stop() is called when the associated execution context is stopped). This CL fixes the crash by clearing out IDBRequest::m_result in IDBRequest::stop().
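To make the ordering in steps (1)-(7) concrete, here is an added C++ model of the teardown sequence. It is not Blink or Chromium code: Dispatcher, ThreadState, Cursor, Request, threadSpecificInstance() and simulateWorkerShutdown() are hypothetical stand-ins for IndexedDBDispatcher, the worker's ThreadState, IDBCursor, IDBRequest, ThreadSpecificInstance() and the worker shutdown path. The model assumes Oilpan semantics (dropping the last reference only queues the object for finalization at the next GC) and replaces the FATAL CHECK with a counter so the unfixed and fixed orderings can be compared in one process.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// Hypothetical stand-in for the Chromium-side IndexedDBDispatcher.
struct Dispatcher {};

// Hypothetical stand-in for the worker thread's state. Objects whose last
// reference is dropped are not freed immediately (Oilpan behaviour); their
// finalizers wait in pendingFinalizers until the GC sweeps.
struct ThreadState {
    std::unique_ptr<Dispatcher> dispatcher;               // the TLS dispatcher
    bool runLoopStopped = false;                          // set by didStopWorkerRunLoop()
    int checkFailures = 0;                                // each would be a FATAL CHECK in Chromium
    std::vector<std::function<void()>> pendingFinalizers; // queued ~IDBRequest-style finalizers
};

// Models IndexedDBDispatcher::ThreadSpecificInstance(): hands out the thread's
// dispatcher, creating it lazily, but refuses to re-instantiate it once the
// worker run loop has stopped ("Re-instantiating TLS IndexedDBDispatcher").
Dispatcher* threadSpecificInstance(ThreadState& ts) {
    if (!ts.dispatcher) {
        if (ts.runLoopStopped) {
            ++ts.checkFailures;   // the check failure seen in the crash report
            return nullptr;
        }
        ts.dispatcher = std::make_unique<Dispatcher>();
    }
    return ts.dispatcher.get();
}

// Models IDBCursor: its destructor (via WebIDBCursorImpl) talks to the dispatcher.
struct Cursor {
    explicit Cursor(ThreadState& ts) : ts_(ts) {}
    ~Cursor() { threadSpecificInstance(ts_); }
    ThreadState& ts_;
};

// Models IDBRequest holding its cursor in m_result.
struct Request {
    explicit Request(ThreadState& ts) : result(std::make_unique<Cursor>(ts)) {}
    // Called when the execution context stops. The CL's fix is the reset():
    // the cursor is destroyed here, while the dispatcher still exists.
    void stop(bool withFix) {
        if (withFix)
            result.reset();
    }
    std::unique_ptr<Cursor> result;   // m_result
};

// Replays steps (1)-(7) of the CL description and returns how many times the
// dispatcher would have been re-instantiated after teardown (0 means no crash).
int simulateWorkerShutdown(bool withFix) {
    ThreadState ts;
    threadSpecificInstance(ts);              // dispatcher exists while the worker runs
    Request* request = new Request(ts);

    request->stop(withFix);                  // execution context stops -> IDBRequest::stop()

    // (1)-(2) m_world->dispose() drops the last reference; under Oilpan the
    // object is only finalized at the next GC, so queue its finalizer.
    ts.pendingFinalizers.push_back([request] { delete request; });

    // (3)-(4) didStopWorkerRunLoop() destroys the dispatcher.
    ts.dispatcher.reset();
    ts.runLoopStopped = true;

    // (5)-(7) ThreadState::detach() triggers a GC; ~Request -> ~Cursor runs now.
    for (auto& finalize : ts.pendingFinalizers)
        finalize();
    ts.pendingFinalizers.clear();

    return ts.checkFailures;
}

int main() {
    std::printf("without fix: %d check failure(s)\n", simulateWorkerShutdown(false));
    std::printf("with fix:    %d check failure(s)\n", simulateWorkerShutdown(true));
    return 0;
}
```

The point the model makes is that the finalizer's ordering is not under the request's control: once the last reference is dropped, ~IDBCursor runs whenever the GC next sweeps, which here is after didStopWorkerRunLoop(). Releasing m_result in stop(), while the dispatcher is still alive, removes the dependency rather than trying to reorder the teardown.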
BUG=340522
Patch Set 1
Total comments: 2
Patch Set 2
Total comments: 4
Patch Set 3
Messages
Total messages: 30 (0 generated)